nationwide interception of Facebook & webmail login credentials in Tunisia
Passive PROFITS
passiveprofits at yahoo.com
Tue Feb 1 15:23:06 GMT 2011
--- On Wed, 1/26/11, Roland Perry <lists at internetpolicyagency.com> wrote:
> From: Roland Perry <lists at internetpolicyagency.com>
> Subject: Re: nationwide interception of Facebook & webmail login credentials in Tunisia
> To: ukcrypto at chiark.greenend.org.uk
> Date: Wednesday, January 26, 2011, 2:49 AM
> In article <AANLkTimn_sUK8=CQmMNZECz508Dxdy0a3npJorOvR8f_ at mail.gmail.com>, Mark Lomas <ukcrypto at absent-minded.com> writes
> > May I conduct an informal survey? Who on this mailing list has not removed any of the CA certificates that were pre-installed by whoever supplied your browser?
Playing email catch up today ...
I have not removed any; like Nicholas, I simply don't trust any of them. I only trust self-signed certs these days, and then only if I've received a fingerprint (of the cert) under digitally signed encrypted email (obviously with the signature showing valid), direct from someone I know who is an owner of the website in question (alternatively, have taken the fingerprint from the website concerned, where the HTML page itself has a detached signature for it or is itself signed).
This obviously moves the debate to: is the (PGP) key genuine (a whole other area of debate which I do not have the time to comment on), and does the website owner know enough about security to have kept their private key/passphrase secure?
If the website owner knows enough about crypto, that's as good as you're going to get AFAIK. Obviously if they use Windows, you can forget it (IMHO) {though also see comment next re: OpenBSD}.
To respond to John Young's comment (sorry John, I missed that when first posted): essentially I agree - there is no such thing as a secure network, only levels of security, but if you're a big enough target, they'll get you somehow (even if it be simply by pin-head camera in front of (i.e. looking at) your computer screen (and/or keyboard), where a TEMPEST attack itself would not even be required).
Summary: the entire system of certificates is a joke (unless self-issued/signed, fingerprinted, and the fingerprint distributed under digital signature). Cert Patrol is also, obviously, required; or a manual check, each time the website is visited, to ensure no cert substitution has taken place.
As the recent disclosure of the OpenBSD backdoor shows (if that has not been shown to be a joke of some sort), the governments of the world (in particular the USA) are a total bunch of hypocrites - they want an insecure Internet, so they can have total control over it. Ref: Internet kill-switch debate (today?) in the USA. The governments want security for them, and insecurity for everyone else. It seems they have still not worked it out, that an 'insecure everybody else' means they cannot, themselves, be secure. Go figure.
That's my take on it ATM, anyway. Unfortunately I don't see things changing too much, either, not in the short term. :(
Best,
PP
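
Added example, not part of the original post: a minimal sketch of the per-visit check the message describes, comparing the certificate a site presents against a fingerprint received out of band and flagging substitution. Assumptions: SHA-256 as the fingerprint hash, the function names, the host names under example.org, and the constructed byte strings standing in for DER certificates.

```python
import hashlib
import hmac
import re
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex, as copied from a signed email."""
    cleaned = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned

def check(host: str, der: bytes, pins: dict) -> str:
    """Compare the presented certificate with the pin held for this host.

    A host with no pin yields 'unpinned' instead of being trusted on first
    use, because the fingerprint has to arrive out of band beforehand.
    """
    pinned = pins.get(host.lower())
    if pinned is None:
        return "unpinned"
    if hmac.compare_digest(fingerprint(der), normalize(pinned)):
        return "match"
    return "substituted"

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's certificate with no CA validation (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed stand-ins for DER certificate bytes, so the demo runs offline.
GENUINE = b"constructed-der-bytes-for-site-owner-cert"
SUBSTITUTE = b"constructed-der-bytes-for-interceptor-cert"

def demo() -> list:
    # Fingerprint as it might be written in the signed email: upper case, colons.
    fp = fingerprint(GENUINE).upper()
    signed_mail_fp = ":".join(fp[i:i + 2] for i in range(0, 64, 2))
    pins = {"www.example.org": signed_mail_fp}
    return [check("www.example.org", GENUINE, pins),
            check("WWW.EXAMPLE.ORG", SUBSTITUTE, pins),
            check("other.example.org", GENUINE, pins)]

if __name__ == "__main__":
    print(demo())
```

For a live check, pass `fetch_der(host)` as the `der` argument on each visit; a "substituted" result means the presented certificate no longer matches the out-of-band fingerprint.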